kprobes 机制

Kprobe机制是内核提供的一种调试机制，它提供了一种方法，能够在不修改现有代码的基础上，灵活的跟踪内核函数的执行。它的基本工作原理是：用户指定一个探测点，并把一个用户定义的处理函数关联到该探测点，当内核执行到该探测点时，相应的关联函数被执行，然后继续执行正常的代码路径。

Kprobe提供了三种形式的探测点，一种是最基本的kprobe，能够在指定代码执行前、执行后进行探测，但此时不能访问被探测函数内的相关变量信息；一种是jprobe，用于探测某一函数的入口，并且能够访问对应的函数参数；一种是kretprobe，用于完成指定函数返回值的探测功能。其中最基本的就是kprobe机制，jprobe以及kretprobe的实现都依赖于kprobe，但其代码的实现都很巧妙，强烈建议每一个内核爱好者阅读。

好了，闲话少叙，开始上代码：

首先是struct kprobe结构，每一个探测点的基本结构。

点击(此处)折叠或打开

1. struct kprobe {
   

2. /*用于保存kprobe的全局hash表，以被探测的addr为key*/
   

3. struct hlist_node hlist;
   

4. 
   

5. /* list of kprobes for multi-handler support */
   

6. /*当对同一个探测点存在多个探测函数时，所有的函数挂在这条链上*/
   

7. struct list_head list;
   

8. 
   

9. /*count the number of times this probe was temporarily disarmed */
   

10. unsigned long nmissed;
    

11. 
    

12. /* location of the probe point */
    

13. /*被探测的目标地址*/
    

14. kprobe_opcode_t *addr;
    

15. 
    

16. /* Allow user to indicate symbol name of the probe point */
    

17. /*symblo_name的存在，允许用户指定函数名而非确定的地址*/
    

18. constchar*symbol_name;
    

19. 
    

20. /* Offset into the symbol */
    

21. /*如果被探测点为函数内部某个指令，需要使用addr + offset的方式*/
    

22. unsigned int offset;
    

23. 
    

24. /* Called before addr is executed. */
    

25. /*探测函数，在目标探测点执行之前调用*/
    

26. kprobe_pre_handler_t pre_handler;
    

27. 
    

28. /* Called after addr is executed, unless... */
    

29. /*探测函数，在目标探测点执行之后调用*/
    

30. kprobe_post_handler_t post_handler;
    

31. 
    

32. /*
    

33. * ... called if executing addr causes a fault (eg. page fault).
    

34. * Return 1 if it handled fault, otherwise kernel will see it.
    

35. */
    

36. kprobe_fault_handler_t fault_handler;
    

37. 
    

38. /*
    

39. * ... called if breakpoint trap occurs in probe handler.
    

40. * Return 1 if it handled break, otherwise kernel will see it.
    

41. */
    

42. kprobe_break_handler_t break_handler;
    

43. 
    

44. /*opcode 以及 ainsn 用于保存被替换的指令码*/
    

45. 
    

46. /* Saved opcode (which has been replaced with breakpoint) */
    

47. kprobe_opcode_t opcode;
    

48. 
    

49. /* copy of the original instruction */
    

50. struct arch_specific_insn ainsn;
    

51. 
    

52. /*
    

53. * Indicates various status flags.
    

54. * Protected by kprobe_mutex after this kprobe is registered.
    

55. */
    

56. u32 flags;
    

57. };

对于kprobe功能的实现主要利用了内核中的两个功能特性：异常（尤其是int 3），单步执行（EFLAGS中的TF标志）。

大概的流程：

1）在注册探测点的时候，对被探测函数的指令码进行替换，替换为int 3的指令码；

2）在执行int 3的异常执行中，通过通知链的方式调用kprobe的异常处理函数；

3）在kprobe的异常出来函数中，判断是否存在pre_handler钩子，存在则执行；

4）执行完后，准备进入单步调试，通过设置EFLAGS中的TF标志位，并且把异常返回的地址修改为保存的原指令码；

5）代码返回，执行原有指令，执行结束后触发单步异常；

6）在单步异常的处理中，清除单步标志，执行post_handler流程，并最终返回；

下面又进入代码时间，首先看一下kprobe模块的初始化代码，初始化代码主要做了两件事：标记出哪些代码是不能被探测的，这些代码属于kprobe实现的关键代码；注册通知链到die_notifier，用于接收异常通知。

点击(此处)折叠或打开

1. 初始化代码位于kernel/kprobes.c中
   

2. staticint __init init_kprobes(void)
   

3. {
   

4. int i, err = 0;
   

5. ....
   

6. 
   

7. /*kprobe_blacklist中保存的是kprobe实现的关键代码路径，这些函数不应该被kprobe探测*/
   

8. /*
   

9. * Lookup and populate the kprobe_blacklist.
   

10. *
    

11. * Unlike the kretprobe blacklist, we'll need to determine
    

12. * the range of addresses that belong to the said functions,
    

13. * since a kprobe need not necessarily be at the beginning
    

14. * of a function.
    

15. */
    

16. for(kb = kprobe_blacklist; kb->name!=NULL; kb++){
    

17. kprobe_lookup_name(kb->name, addr);
    

18. if(!addr)
    

19. continue;
    

20. 
    

21. kb->start_addr =(unsigned long)addr;
    

22. symbol_name = kallsyms_lookup(kb->start_addr,
    

23. &size,&offset,&modname, namebuf);
    

24. if(!symbol_name)
    

25. kb->range = 0;
    

26. else
    

27. kb->range =size;
    

28. }
    

29. ....
    

30. if(!err)
    

31. /*注册通知链到die_notifier，用于接收int 3的异常信息*/
    

32. err = register_die_notifier(&kprobe_exceptions_nb);
    

33. ....
    

34. }
    

35. 其中的通知链：
    

36. staticstruct notifier_block kprobe_exceptions_nb ={
    

37. .notifier_call = kprobe_exceptions_notify,
    

38. /*优先级最高，保证最先执行*/
    

39. .priority = 0x7fffffff /* we need to be notified first */
    

40. };

kprobe的注册流程register_kprobe。

点击(此处)折叠或打开

1. int __kprobes register_kprobe(struct kprobe *p)
   

2. {
   

3. int ret = 0;
   

4. struct kprobe *old_p;
   

5. struct module *probed_mod;
   

6. kprobe_opcode_t *addr;
   

7. 
   

8. /*获取被探测点的地址，指定了symbol_name，则从kallsyms中获取；指定了offset，则返回addr + offset*/
   

9. addr = kprobe_addr(p);
   

10. if(!addr)
    

11. return-EINVAL;
    

12. p->addr = addr;
    

13. 
    

14. /*判断同一个kprobe是否被重复注册*/
    

15. ret = check_kprobe_rereg(p);
    

16. if(ret)
    

17. return ret;
    

18. 
    

19. jump_label_lock();
    

20. preempt_disable();
    

21. /*判断被注册的函数是否位于内核的代码段内，或位于不能探测的kprobe实现路径中*/
    

22. if(!kernel_text_address((unsigned long) p->addr)||
    

23. in_kprobes_functions((unsigned long) p->addr)||
    

24. ftrace_text_reserved(p->addr, p->addr)||
    

25. jump_label_text_reserved(p->addr, p->addr))
    

26. goto fail_with_jump_label;
    

27. 
    

28. /* User can pass only KPROBE_FLAG_DISABLED to register_kprobe */
    

29. p->flags&= KPROBE_FLAG_DISABLED;
    

30. 
    

31. /*
    

32. * Check if are we probing a module.
    

33. */
    

34. /*判断被探测的地址是否属于某一个模块，并且位于模块的text section内*/
    

35. probed_mod = __module_text_address((unsigned long) p->addr);
    

36. if(probed_mod){
    

37. /*如果被探测的为模块地址，首先要增加模块的引用计数*/
    

38. /*
    

39. * We must hold a refcount of the probed module while updating
    

40. * its code to prohibit unexpected unloading.
    

41. */
    

42. if(unlikely(!try_module_get(probed_mod)))
    

43. goto fail_with_jump_label;
    

44. 
    

45. /*
    

46. * If the module freed .init.text, we couldn't insert
    

47. * kprobes in there.
    

48. */
    

49. /*如果被探测的地址位于模块的init地址段内，但该段代码区间已被释放，则直接退出*/
    

50. if(within_module_init((unsigned long)p->addr, probed_mod)&&
    

51. probed_mod->state!= MODULE_STATE_COMING){
    

52. module_put(probed_mod);
    

53. goto fail_with_jump_label;
    

54. }
    

55. }
    

56. preempt_enable();
    

57. jump_label_unlock();
    

58. 
    

59. p->nmissed = 0;
    

60. INIT_LIST_HEAD(&p->list);
    

61. mutex_lock(&kprobe_mutex);
    

62. 
    

63. jump_label_lock();/* needed to call jump_label_text_reserved() */
    

64. 
    

65. get_online_cpus();/* For avoiding text_mutex deadlock. */
    

66. mutex_lock(&text_mutex);
    

67. 
    

68. /*判断在同一个探测点是否已经注册了其他的探测函数*/
    

69. old_p = get_kprobe(p->addr);
    

70. if(old_p){
    

71. /* Since this may unoptimize old_p, locking text_mutex. */
    

72. /*如果已经存在注册过的kprobe，则将探测点的函数修改为aggr_pre_handler，并将所有的handler挂载到其链表上，由其负责所有handler函数的执行*/
    

73. ret = register_aggr_kprobe(old_p, p);
    

74. goto out;
    

75. }
    

76. 
    

77. /* 分配特定的内存地址用于保存原有的指令
    

78. * 按照内核注释，被分配的地址必须must be on special executable page on x86.
    

79. * 该地址被保存在kprobe->ainsn.insn
    

80. */
    

81. ret = arch_prepare_kprobe(p);
    

82. if(ret)
    

83. goto out;
    

84. 
    

85. /*将kprobe加入到相应的hash表内*/
    

86. INIT_HLIST_NODE(&p->hlist);
    

87. hlist_add_head_rcu(&p->hlist,
    

88. &kprobe_table[hash_ptr(p->addr, KPROBE_HASH_BITS)]);
    

89. 
    

90. if(!kprobes_all_disarmed &&!kprobe_disabled(p))
    

91. /*将探测点的指令码修改为int 3指令*/

92. __arm_kprobe(p);
    

93. 
    

94. /* Try to optimize kprobe */
    

95. try_to_optimize_kprobe(p);
    

96. 
    

97. out:
    

98. mutex_unlock(&text_mutex);
    

99. put_online_cpus();
    

100. jump_label_unlock();
     

101. mutex_unlock(&kprobe_mutex);
     

102. 
     

103. if(probed_mod)
     

104. module_put(probed_mod);
     

105. 
     

106. return ret;
     

107. 
     

108. fail_with_jump_label:
     

109. preempt_enable();
     

110. jump_label_unlock();
     

111. return-EINVAL;

注册完毕，就开始kprobe的执行流程了。对于该探测点，由于其起始指令已经被修改为int3，因此在执行到该地址时，必然会触发3号中断向量的处理流程do_int3.

点击(此处)折叠或打开

1. /* May run on IST stack. */
   

2. dotraplinkage void __kprobes do_int3(struct pt_regs *regs,long error_code)
   

3. {
   

4. #ifdef CONFIG_KGDB_LOW_LEVEL_TRAP
   

5. if(kgdb_ll_trap(DIE_INT3,"int3", regs, error_code, 3, SIGTRAP)
   

6. == NOTIFY_STOP)
   

7. return;
   

8. #endif /* CONFIG_KGDB_LOW_LEVEL_TRAP */
   

9. #ifdef CONFIG_KPROBES
   

10. /*在这里以DIE_INT3，通知kprobe注册的通知链*/

11. if(notify_die(DIE_INT3,"int3", regs, error_code, 3, SIGTRAP)
    

12. == NOTIFY_STOP)
    

13. return;
    

14. #else
    

15. if(notify_die(DIE_TRAP,"int3", regs, error_code, 3, SIGTRAP)
    

16. == NOTIFY_STOP)
    

17. return;
    

18. #endif
    

19. 
    

20. preempt_conditional_sti(regs);
    

21. do_trap(3, SIGTRAP,"int3", regs, error_code,NULL);
    

22. preempt_conditional_cli(regs);
    

23. }

在do_int3中触发kprobe注册的通知链函数，kprobe_exceptions_notify。由于kprobe以及jprobe等机制的处理核心都在此函数内，这里只针对kprobe的流程进行分析：进入函数的原因是DIE_INT3,并且是第一次进入该函数。

点击(此处)折叠或打开

1. int __kprobes kprobe_exceptions_notify(struct notifier_block *self,
   

2. unsigned long val,void*data)
   

3. {
   

4. struct die_args *args = data;
   

5. int ret = NOTIFY_DONE;
   

6. 
   

7. if(args->regs && user_mode_vm(args->regs))
   

8. return ret;
   

9. 
   

10. switch(val){
    

11. case DIE_INT3:
    

12. /*对于kprobe，进入kprobe_handle*/

13. if(kprobe_handler(args->regs))
    

14. ret = NOTIFY_STOP;
    

15. break;
    

16. case DIE_DEBUG:
    

17. if(post_kprobe_handler(args->regs)){
    

18. /*
    

19. * Reset the BS bit in dr6 (pointed by args->err) to
    

20. * denote completion of processing
    

21. */
    

22. (*(unsigned long*)ERR_PTR(args->err))&=~DR_STEP;
    

23. ret = NOTIFY_STOP;
    

24. }
    

25. break;
    

26. case DIE_GPF:
    

27. /*
    

28. * To be potentially processing a kprobe fault and to
    

29. * trust the result from kprobe_running(), we have
    

30. * be non-preemptible.
    

31. */
    

32. if(!preemptible()&& kprobe_running()&&
    

33. kprobe_fault_handler(args->regs, args->trapnr))
    

34. ret = NOTIFY_STOP;
    

35. break;
    

36. default:
    

37. break;
    

38. }
    

39. return ret;
    

40. }

点击(此处)折叠或打开

1. staticint __kprobes kprobe_handler(struct pt_regs *regs)
   

2. {
   

3. kprobe_opcode_t *addr;
   

4. struct kprobe *p;
   

5. struct kprobe_ctlblk *kcb;
   

6. 
   

7. /*对于int 3中断，其被Intel定义为Trap，那么异常发生时EIP寄存器内指向的为异常指令的后一条指令*/

8. addr =(kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
   

9. /*
   

10. * We don't want to be preempted for the entire
    

11. * duration of kprobe processing. We conditionally
    

12. * re-enable preemption at the end of this function,
    

13. * and also in reenter_kprobe() and setup_singlestep().
    

14. */
    

15. preempt_disable();
    

16. 
    

17. kcb = get_kprobe_ctlblk();
    

18. /*获取addr对应的kprobe*/

19. p = get_kprobe(addr);
    

20. 
    

21. if(p){
    

22. /*如果异常的进入是由kprobe导致，则进入reenter_kprobe(jprobe需要，到时候分析)*/

23. if(kprobe_running()){
    

24. if(reenter_kprobe(p, regs, kcb))
    

25. return 1;
    

26. }else{
    

27. set_current_kprobe(p, regs, kcb);
    

28. kcb->kprobe_status = KPROBE_HIT_ACTIVE;
    

29. 
    

30. /*
    

31. * If we have no pre-handler or it returned 0, we
    

32. * continue with normal processing. If we have a
    

33. * pre-handler and it returned non-zero, it prepped
    

34. * for calling the break_handler below on re-entry
    

35. * for jprobe processing, so get out doing nothing
    

36. * more here.
    

37. */
    

38. /*执行在此地址上挂载的pre_handle函数*/

39. if(!p->pre_handler ||!p->pre_handler(p, regs))
    

40. /*设置单步调试模式，为post_handle函数的执行做准备*/

41. setup_singlestep(p, regs, kcb, 0);
    

42. return 1;
    

43. }
    

44. }elseif(*addr != BREAKPOINT_INSTRUCTION){
    

45. /*
    

46. * The breakpoint instruction was removed right
    

47. * after we hit it. Another cpu has removed
    

48. * either a probepoint or a debugger breakpoint
    

49. * at this address. In either case, no further
    

50. * handling of this interrupt is appropriate.
    

51. * Back up over the (now missing) int3 and run
    

52. * the original instruction.
    

53. */
    

54. regs->ip =(unsigned long)addr;
    

55. preempt_enable_no_resched();
    

56. return 1;
    

57. }elseif(kprobe_running()){
    

58. p = __this_cpu_read(current_kprobe);
    

59. if(p->break_handler && p->break_handler(p, regs)){
    

60. setup_singlestep(p, regs, kcb, 0);
    

61. return 1;
    

62. }
    

63. }/* else: not a kprobe fault; let the kernel handle it */
    

64. 
    

65. preempt_enable_no_resched();
    

66. return 0;
    

67. }

点击(此处)折叠或打开

1. staticvoid __kprobes setup_singlestep(struct kprobe *p,struct pt_regs *regs,
   

2. struct kprobe_ctlblk *kcb,int reenter)
   

3. {
   

4. if(setup_detour_execution(p, regs, reenter))
   

5. return;
   

6. 
   

7. #if!defined(CONFIG_PREEMPT)
   

8. if(p->ainsn.boostable == 1 &&!p->post_handler){
   

9. /* Boost up -- we can execute copied instructions directly */
   

10. if(!reenter)
    

11. reset_current_kprobe();
    

12. /*
    

13. * Reentering boosted probe doesn't reset current_kprobe,
    

14. * nor set current_kprobe, because it doesn't use single
    

15. * stepping.
    

16. */
    

17. regs->ip =(unsigned long)p->ainsn.insn;
    

18. preempt_enable_no_resched();
    

19. return;
    

20. }
    

21. #endif
    

22. /*jprobe*/

23. if(reenter){
    

24. save_previous_kprobe(kcb);
    

25. set_current_kprobe(p, regs, kcb);
    

26. kcb->kprobe_status = KPROBE_REENTER;
    

27. }else
    

28. kcb->kprobe_status = KPROBE_HIT_SS;
    

29. /* Prepare real single stepping */
    

30. /*准备单步模式，设置EFLAGS的TF标志位，清楚IF标志位(禁止中断)*/

31. clear_btf();
    

32. regs->flags|= X86_EFLAGS_TF;
    

33. regs->flags&=~X86_EFLAGS_IF;
    

34. /* single step inline if the instruction is an int3 */
    

35. if(p->opcode == BREAKPOINT_INSTRUCTION)
    

36. regs->ip =(unsigned long)p->addr;
    

37. else
    

38. /*设置异常返回的指令为保存的被探测点的指令*/

39. regs->ip =(unsigned long)p->ainsn.insn;
    

40. }

对应kprobe,pre_handle的执行就结束了，按照代码，程序开始执行保存的被探测点的指令，由于开启了单步调试模式，执行完指令后会继续触发异常，这次的是do_debug异常处理流程。

点击(此处)折叠或打开

1. dotraplinkage void __kprobes do_debug(struct pt_regs *regs,long error_code)
   

2. {
   

3. ....

4. 
   

5. /*在do_debug中，以DIE_DEBUG再一次触发kprobe的通知链*/

6. if(notify_die(DIE_DEBUG,"debug", regs, PTR_ERR(&dr6), error_code,
   

7. SIGTRAP)== NOTIFY_STOP)
   

8. return;

9. 
   

10. ....

11. return;
    

12. }

点击(此处)折叠或打开

1. /*对于kprobe_exceptions_notify，其DIE_DEBUG处理流程*/

2. case DIE_DEBUG:
   

3. if(post_kprobe_handler(args->regs)){
   

4. /*
   

5. * Reset the BS bit in dr6 (pointed by args->err) to
   

6. * denote completion of processing
   

7. */
   

8. (*(unsigned long*)ERR_PTR(args->err))&=~DR_STEP;
   

9. ret = NOTIFY_STOP;
   

10. }
    

11. break;
    

12. 
    

13. staticint __kprobes post_kprobe_handler(struct pt_regs *regs)
    

14. {
    

15. struct kprobe *cur = kprobe_running();
    

16. struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
    

17. 
    

18. if(!cur)
    

19. return 0;
    

20. 
    

21. /*设置异常返回的EIP为下一条需要执行的指令*/
    

22. resume_execution(cur, regs, kcb);
    

23. /*恢复异常执行前的EFLAGS*/
    

24. regs->flags|= kcb->kprobe_saved_flags;
    

25. 
    

26. /*执行post_handler函数*/
    

27. if((kcb->kprobe_status != KPROBE_REENTER)&& cur->post_handler){
    

28. kcb->kprobe_status = KPROBE_HIT_SSDONE;
    

29. cur->post_handler(cur, regs, 0);
    

30. }
    

31. 
    

32. /* Restore back the original saved kprobes variables and continue. */
    

33. if(kcb->kprobe_status == KPROBE_REENTER){
    

34. restore_previous_kprobe(kcb);
    

35. goto out;
    

36. }
    

37. reset_current_kprobe();
    

38. out:
    

39. preempt_enable_no_resched();
    

40. 
    

41. /*
    

42. * if somebody else is singlestepping across a probe point, flags
    

43. * will have TF set, in which case, continue the remaining processing
    

44. * of do_debug, as if this is not a probe hit.
    

45. */
    

46. if(regs->flags& X86_EFLAGS_TF)
    

47. return 0;
    

48. 
    

49. return 1;
    

50. }

至此，一个典型的kprobe的流程已经执行完毕了。

转载于:https://blog.51cto.com/linuxkernel/1317591